Connecticut Data Privacy Act: A Practical Guide for Businesses
A practical guide to the Connecticut Data Privacy Act (CTDPA) for businesses: applicability thresholds (including the 2026 changes), consumer rights, enforcement with real examples, and how it compares to other state privacy laws.
Last updated: 2026-02-07
When TicketNetwork, a Connecticut-based ticket resale company, failed to honor consumer opt-out requests and lacked a proper privacy notice, the Connecticut Attorney General did not issue a warning. The AG's office brought an enforcement action that resulted in an $85,000 penalty -- one of the earliest enforcement actions under any state privacy law in the country. If your business handles personal data from Connecticut residents, the Connecticut Data Privacy Act (CTDPA) is not a future problem. It has been in effect since July 1, 2023, it already has enforcement precedent, and its applicability thresholds are about to get significantly broader.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Connecticut Data Privacy Act (Conn. Gen. Stat. §§ 42-515 to 42-525) and its 2024 amendments, as of the date of publication.
Does the CTDPA Apply to Your Business?
The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and meet one of two thresholds. But here is where it gets important: those thresholds are changing.
Current thresholds (through June 30, 2026):
- Process the personal data of at least 100,000 Connecticut consumers during a calendar year (excluding data processed solely to complete a payment transaction), OR
- Process the personal data of at least 25,000 Connecticut consumers AND derive revenue from the sale of personal data.
New threshold (effective July 1, 2026):
Under a 2024 amendment to the CTDPA, the applicability threshold drops to just 35,000 Connecticut consumers -- with no secondary revenue or data sales requirement. This is a major expansion. Businesses that were previously exempt because they processed data on fewer than 100,000 consumers (and did not sell data) will suddenly be covered if they exceed the 35,000-consumer mark.
Practical example: A SaaS platform with 50,000 Connecticut users that earns no revenue from data sales is currently exempt from the CTDPA. Starting July 1, 2026, it will be fully covered. A small marketing agency with 10,000 Connecticut contacts in its CRM would remain exempt even after the threshold change.
Who is exempt? The CTDPA exempts state and local government entities, nonprofits, higher education institutions, and entities and data regulated by HIPAA, GLBA, FCRA, FERPA, and the Driver's Privacy Protection Act. It also exempts certain employee and business-contact data from its scope.
No revenue threshold exists under the CTDPA -- similar to Virginia's VCDPA and unlike California's CCPA/CPRA, which requires $25 million in annual revenue.
What Rights Do Connecticut Consumers Have?
The CTDPA grants Connecticut residents seven privacy rights. Businesses must respond to consumer requests within 45 days, with one possible extension of 45 days if reasonably necessary (with notice to the consumer).
Right to Access. Consumers can confirm whether a controller is processing their personal data and access that data.
Right to Correction. Consumers can request correction of inaccurate personal data.
Right to Deletion. Consumers can request deletion of personal data provided by the consumer or obtained about the consumer.
Right to Data Portability. Consumers can obtain their data in a portable and readily usable format that allows them to transfer it to another controller without hindrance.
Right to Opt Out of Sale. Consumers can opt out of the sale of their personal data.
Right to Opt Out of Targeted Advertising. Consumers can opt out of processing for targeted advertising purposes.
Right to Opt Out of Profiling. Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
The CTDPA also requires businesses to recognize universal opt-out preference signals for opt-out-of-sale and opt-out-of-targeted-advertising requests, effective January 1, 2025. This puts Connecticut alongside Colorado and California as states that mandate GPC-style signal recognition.
| Right | Granted? | Notes |
|---|---|---|
| Access | ✅ | Confirm processing and access personal data |
| Correction | ✅ | Fix inaccurate personal data |
| Deletion | ✅ | Delete personal data held by the controller |
| Portability | ✅ | Obtain data in a portable format |
| Opt-out of sale | ✅ | Stop the sale of personal data |
| Opt-out of targeted ads | ✅ | Stop processing for targeted advertising |
| Opt-out of profiling | ✅ | Stop profiling with legal/significant effects |
| Non-discrimination | ✅ | Cannot penalize consumers for exercising rights |
What Your Business Must Do
The CTDPA's compliance requirements are consistent with the broader wave of state privacy laws, but the TicketNetwork enforcement action shows that the Connecticut AG expects real, operational compliance -- not just a privacy policy page.
Publish a clear privacy notice. Your privacy notice must disclose the categories of personal data you process, the purposes of processing, how consumers can exercise their rights (including the appeal process), the categories of personal data shared with third parties, the categories of those third parties, and an active email address or other mechanism for contacting you. If you sell personal data or use it for targeted advertising, this must be clearly stated.
Respond to consumer requests within 45 days. Build a documented intake, verification, and response process. You can extend the response period by 45 days if reasonably necessary, but you must inform the consumer within the initial 45-day window and explain why. If you deny a request, you must state the reason and provide appeal instructions.
Implement an appeal process. If a consumer's request is denied, they have the right to appeal. You must respond to the appeal within 60 days. If you deny the appeal, you must inform the consumer of their right to file a complaint with the Connecticut Attorney General.
Honor universal opt-out preference signals. Starting January 1, 2025, businesses must recognize browser-based or device-based opt-out signals (such as GPC) as valid opt-out requests for the sale of personal data and targeted advertising. If your website does not detect and honor these signals, you are out of compliance.
Obtain consent for sensitive data processing. The CTDPA requires opt-in consent before processing sensitive data, including data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, and genetic or biometric data used for identification. For children's data (under 13), you must obtain consent consistent with COPPA.
Conduct data protection assessments. Assessments are required for processing activities that present a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, profiling that produces legal or significant effects, and processing of sensitive data.
Establish processor contracts. Written agreements with data processors must include processing instructions, confidentiality obligations, deletion or return of data requirements, cooperation with assessments and consumer requests, and audit provisions.
Practice data minimization. Limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers.
How Is the CTDPA Enforced?
The CTDPA is enforced exclusively by the Connecticut Attorney General. There is no private right of action.
Violations are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA), with a maximum penalty of $5,000 per violation. The AG can also seek injunctive relief and recover costs.
The cure period has expired. The CTDPA originally provided a 60-day cure period allowing businesses to remedy violations before facing enforcement. This cure period expired on December 31, 2024. Since January 1, 2025, the AG has full discretion to bring enforcement actions without offering a cure opportunity.
The TicketNetwork enforcement action. In 2024, the Connecticut Attorney General reached an enforcement settlement with TicketNetwork, Inc., a Stafford Springs-based online ticket marketplace. The company was found to have failed to honor consumer opt-out requests, failed to provide an adequate privacy notice, and lacked proper data processing agreements. The settlement resulted in an $85,000 penalty and required the company to implement a comprehensive privacy compliance program. This was one of the first enforcement actions under any state comprehensive privacy law in the United States, and it sent a clear signal that the Connecticut AG takes the CTDPA seriously.
The AG's office has indicated that enforcement priorities include businesses that fail to honor universal opt-out signals, companies that process children's data improperly, and entities that lack adequate privacy notices.
How the CTDPA Compares to Other State Privacy Laws
The CTDPA is architecturally similar to Virginia's VCDPA but stands out for its early enforcement activity, its universal opt-out requirement, and its upcoming threshold reduction.
| Feature | Connecticut (CTDPA) | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Effective date | Jul 1, 2023 | Jan 1, 2020 / Jan 1, 2023 | Jan 1, 2023 |
| Consumer threshold | 100K → 35K (Jul 2026) | 100K consumers/households | 100K (or 25K + 50% revenue from data sales) |
| Revenue threshold | None | $25 million | None |
| Universal opt-out signal | Required (from Jan 1, 2025) | Required | Not required |
| Max penalty per violation | $5,000 | $2,500 ($7,500 intentional) | $7,500 |
| Cure period | Expired Dec 31, 2024 | None | Expired Jan 1, 2025 |
| Sensitive data consent | Opt-in required | Opt-out (limit use) | Opt-in required |
| Known enforcement | TicketNetwork ($85K) | Multiple (Sephora, DoorDash, etc.) | None publicly reported |
| Private right of action | No | Limited (data breaches only) | No |
Compared to Virginia's VCDPA, the CTDPA has a lower per-violation penalty ($5,000 vs. $7,500) but has already produced enforcement actions, while Virginia has not yet publicly reported any. The CTDPA also requires universal opt-out signal recognition, which Virginia does not. Compared to California's CCPA/CPRA, the CTDPA lacks a private right of action, which reduces litigation exposure, but the lower threshold coming in July 2026 means more businesses will be covered. For businesses also dealing with Maryland's MODPA, note that Connecticut's 35,000-consumer threshold (from July 2026) matches Maryland's current threshold, making both laws relevant for businesses with moderate-sized consumer bases.
Action Checklist for Small Businesses
If the CTDPA applies to your business -- or will apply after the July 2026 threshold change -- here is your priority list:
- Check whether the July 2026 threshold change brings you into scope. If you process data on more than 35,000 Connecticut consumers, start preparing now. The threshold drops from 100,000 to 35,000 with no data-sales requirement.
- Implement universal opt-out signal recognition. Ensure your website detects and honors GPC signals. Test with browsers that support GPC (Firefox, Brave, DuckDuckGo).
- Conduct a data inventory. Map what personal data you collect, where it lives, who you share it with, and the purposes of processing.
- Update your privacy notice. Include all CTDPA-required disclosures: data categories, purposes, third parties, rights, and appeal instructions.
- Build a DSAR response process. Set up documented procedures for intake, identity verification, processing, and response within 45 days.
- Get opt-in consent for sensitive data. Review all categories of sensitive data you process and ensure affirmative consent is in place.
- Review and update processor contracts. Ensure all vendor agreements include CTDPA-required provisions.
- Learn from the TicketNetwork case. The AG specifically targeted failure to honor opt-outs, missing privacy notices, and absent data processing agreements. Make sure those three areas are airtight.
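For the universal opt-out item above, here is one way a web backend could detect the GPC signal and apply it to sale and targeted-advertising processing. This is an added example, not code from the article or from any regulator; the tag names and the stored-preference shape are hypothetical, and the `Sec-GPC` request header is the one defined by the GPC specification.

```javascript
// Added example. Tag names and the stored-preference record are hypothetical.

// True only when the request carries "Sec-GPC: 1"; any other value counts as absent.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Combine the signal with any opt-out already on file. The signal can only add
// an opt-out: a later request without it must not re-enable sale or ads.
function resolveOptOut(headers, stored = {}) {
  const gpc = hasGpcSignal(headers);
  return {
    gpcDetected: gpc,
    saleOptOut: gpc || stored.saleOptOut === true,
    targetedAdsOptOut: gpc || stored.targetedAdsOptOut === true,
  };
}

// Keep only the third-party tags whose purpose the consumer has not opted out of.
function allowedTags(tags, decision) {
  return tags
    .filter((tag) => {
      if (tag.purpose === 'sale' && decision.saleOptOut) return false;
      if (tag.purpose === 'targeted_ads' && decision.targetedAdsOptOut) return false;
      return true;
    })
    .map((tag) => tag.name);
}

// Constructed sample data for illustration.
const SAMPLE_TAGS = [
  { name: 'ad-pixel', purpose: 'targeted_ads' },
  { name: 'data-broker-sync', purpose: 'sale' },
  { name: 'error-reporting', purpose: 'operations' },
];

const withSignal = resolveOptOut({ 'Sec-GPC': '1' });
const returningVisitor = resolveOptOut({}, { saleOptOut: true });
console.log(allowedTags(SAMPLE_TAGS, withSignal));
console.log(allowedTags(SAMPLE_TAGS, returningVisitor));
```

Recording `gpcDetected` alongside each decision gives you evidence that the signal was honored if a consumer or the AG later asks.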
Key Dates
- July 1, 2023: CTDPA takes effect.
- December 31, 2024: 60-day cure period expires.
- January 1, 2025: Universal opt-out mechanism requirement takes effect.
- July 1, 2026: Applicability threshold drops from 100,000 to 35,000 consumers.
References
- Connecticut Data Privacy Act: Conn. Gen. Stat. §§ 42-515 to 42-525 (S.B. 6, Public Act No. 22-15).
- 2024 CTDPA Amendments: Public Act No. 24-151 (threshold change and universal opt-out).
- Connecticut Unfair Trade Practices Act (CUTPA): Conn. Gen. Stat. § 42-110b et seq.
- TicketNetwork Enforcement: Office of the Connecticut Attorney General, enforcement settlement 2024.
- Global Privacy Control: GPC specification
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.